JP7522050B2 - CONTROL SYSTEM, CLOSED NETWORK CONNECTION SETTING METHOD, AND PROGRAM - Google Patents

Description

The present invention relates to technology for connecting the cloud and users via a closed network.

In recent years, cloud services have become widespread, and the use of cloud is now a prerequisite for the construction and operation of corporate systems. In addition, interconnect services for connecting clouds to on-premise environments are becoming more common. By using interconnect services, users can build a variety of networks that use the cloud for a variety of purposes.

In addition, in recent years, the number of XaaS companies using the cloud to provide SaaS services has been increasing, and in response, many companies are expanding their use of SaaS to improve business efficiency.

SaaS is usually used on the assumption that it will be accessed from the Internet, but depending on the user's intended use and security policy, there is an increasing demand for secure closed network connections using closed network connection services provided by cloud service providers.

The closed network connection service provided by a cloud service provider requires line resources to connect users to the cloud service provider's physical port. Therefore, in many cases, users use the closed network connection service via a partner that provides the line resources. The interconnection service providers mentioned above are examples of partner providers.

JP 2018-092565 A

However, with conventional technology, when trying to introduce a closed network connection service provided by the cloud through a partner, the operations that users must perform are complicated, making introduction difficult.

The present invention has been made in consideration of the above points, and aims to provide technology that makes it possible to easily introduce closed network connection services provided by the cloud through partners.

According to the disclosed technology, there is provided a control system that executes a process for connecting a router used by a user to a cloud via a closed network, comprising:
a first account operation unit that instructs a first account of the partner in the cloud to create a connection constituting the closed network for a second account of the partner for the user in the cloud;
and a second account operation unit that instructs the second account of the partner in the cloud to create a virtual interface to be used in the connection for the account of the user in the cloud.

The disclosed technology provides a technology that makes it possible to easily introduce closed network connection services provided by the cloud through partners.

1 is a diagram showing an example of a connection configuration using an interconnection system according to an embodiment of the present invention; FIG. 1 is a diagram showing the relationship between areas, locations, etc. FIG. 1 is a diagram showing a comparison between a proposed model and a conventional model. 1 is a diagram for explaining components of an interconnection system according to an embodiment of the present invention; FIG. 1 is a diagram for explaining a resource management method. FIG. 2 is a diagram for explaining connections between resources. FIG. 13 is a diagram illustrating a connection example. FIG. 13 is a diagram for explaining a routing group. FIG. 13 is a diagram illustrating a connection example. FIG. 13 is a diagram illustrating a connection example. FIG. 13 is a diagram for explaining in and out. FIG. 13 is a diagram illustrating an example of FW settings. FIG. 13 is a diagram illustrating an example of NAT settings. FIG. 2 is a diagram illustrating an example of the configuration of an operation system. FIG. 13 is a diagram showing a basic process flow of setting. FIG. 1 is a diagram showing a basic process flow of monitoring. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 13 is a diagram showing an example of a screen displayed on a user terminal. FIG. 2 is a diagram for explaining a closed network connection service of cloud A. FIG. 2 is a diagram showing a processing sequence according to the present embodiment. FIG. 1 is a diagram showing an image of LOA. FIG. 13 is a diagram showing information to be notified to cloud A. FIG. 1 is a diagram illustrating an example of the configuration of a control system. FIG. 2 illustrates an example of a hardware configuration of the apparatus.

The following describes an embodiment of the present invention (the present embodiment) with reference to the drawings. The embodiment described below is merely an example, and the embodiment to which the present invention is applicable is not limited to the following embodiment.

Below, we will first explain the interconnection system that is the premise of the technology according to the present invention, and then explain the technology according to the present invention. This interconnection system allows users to freely select and combine resources such as ports, connections, and components to provide the optimal connection for the user. However, the present invention can be implemented without using the interconnection system described below.

(System configuration)
FIG. 1 shows an overview of the interconnection system in this embodiment. Although FIG. 1 shows area A and area B, there is no limit to the number of areas. The number of areas may be one, or may be three or more. The area may be, for example, a region such as "East Japan" or "West Japan," or may be a region defined by other divisions. In addition, a region having a connection point with a cloud may be set as an area. Note that "cloud" in this specification refers to a cloud service such as AWS (registered trademark), Azure (registered trademark), or Office 365 (registered trademark).

In the example shown in Figure 1, areas A and B are connected by an inter-area network, and communication is possible between areas A and B.

The system consisting of the core 60 and one or more leaves 30 shown in each of area A and area B is called an interconnect system. As will be described in detail later, the core 60 is a functional part consisting of components 20 such as a router 10 and a firewall (FW), and the leaf 30 is a functional part consisting of a network device (router, switch, etc.) that accommodates a port.

The leaf 30 and the core 60 are connected by a physical communication line. A virtual private line (VPN) is established as a connection by setting one or more network devices that constitute the leaf 30 and the core 60. Note that the network devices (routers, switches, servers, etc.) used in this embodiment may be physical devices or devices realized by virtual machines.

The core 60 in the interconnection system is installed, for example, in a data center (hereinafter, DC) 1 of the operator that provides the interconnection system. The leaves 30 are installed in DC 1, as well as DCs 2 and 3, which are DCs of any operator or user. There are no particular limitations on where each function that constitutes the interconnection system is located, and the configuration shown in Figure 1 is merely one example.

The "Colloc" in Figure 1 is an abbreviation of collocation, and means that a user installs his/her own equipment in a DC equipped with a leaf 30 and connects the equipment to the leaf 30. User equipment is connected to the leaf 30 via physical cables, dedicated lines, closed network services, etc. The cloud is also connected to the leaf 30.

Figure 1 shows a user terminal 500, a display control system 100, and a control device 200. The control device 200 is connected to the display control system 100, which provides a GUI (Graphical User Interface) to the user terminal 500. Setting information (parameters, etc.) input from the user terminal 500 through the GUI is sent to the display control system 100, and then sent from the display control system 100 to the control device 200. Based on the setting information, the control device 200 performs settings on one or more network devices that make up the interconnection system. The control device 200 also performs settings on the cloud to be connected. These settings establish a connection between, for example, a router and a cloud.

Figure 2 is a diagram for explaining the relationship between cores 60, leaves 30, areas, and locations in a DC. A location is where a leaf 30 exists, and is the location where a physical connection device (port) is placed (where a patch panel is located). A port is accommodated in a leaf 30. A core 60 belongs to one area.

This is also related to the GUI described below, but even if there are multiple DCs with cores 60 in the same area, these DCs are shown to the user as a single entity. Also, if there are multiple locations in the same area and each location is equipped with a leaf 30, each leaf can be connected to the core 60 in that area in the same way.

A menu that takes area and location into consideration is presented to the user, without making them aware of cores and leaves. This type of display control is performed by the display control system 100 (specifically, the setting GUI unit 110). However, this is just an example, and cores and leaves may also be displayed explicitly.

The leaves of an area are not connected to the cores of other areas. However, this is just an example, and it is also possible for the leaves of an area to be connected to the cores of other areas.

Figure 3 shows a comparison between a conventional interconnection system (conventional model) and an interconnection system according to this embodiment (proposed model).

In the conventional model shown at the top of Figure 3, the user himself must bring in and install his own equipment (routers, firewalls, etc.) in a rack provided in the DC of the conventional model operator, and the user himself must also prepare a line to the user equipment provided in the user DC (DC that has the user equipment).

On the other hand, in the model (proposed model) according to this embodiment, the user can connect the user equipment to the cloud simply by connecting the user equipment to the leaf 30, and then purchasing and configuring router components, etc. from the GUI.

In addition, in the conventional model, the connection from the user equipment to the cloud is only an L2 (layer 2) connection. In other words, the user has to control FW/NAT, etc., on their own equipment. On the other hand, the proposed model can provide L3 connections in addition to L2 connections. In L3 connections, the addition and configuration of FW/NAT, etc. can be done on the GUI.

(Services provided through interconnected systems, etc.)
FIG. 4 is a diagram showing the functional configuration of the interconnection system (and the services provided) from the viewpoint of the services provided by the interconnection system in this embodiment.

Here, a "resource" is a function that provides connectivity to users. Resources include ports (indicated by "P" in Figure 4), routers, connections, and components.

The Buyer in FIG. 4 is a party that uses the services provided by the interconnection system in this embodiment. The Seller is a party that provides services to the Buyer. The aforementioned businesses that provide AWS (registered trademark), Azure (registered trademark), Office365 (registered trademark), etc. are examples of Sellers.

In this specification, the term "user" refers to a buyer, but the "user" may also be a seller. An overview of each resource is as follows:

A port is a resource (physical port) for connecting user equipment to the interconnection system. For example, user equipment can be connected to a port via an optical fiber cable, a leased line, a closed network, etc. In addition, users can purchase multiple ports to achieve a redundant configuration.

A connection is a resource that connects ports or between a port and a router, and in this embodiment is realized by a VPN (Virtual Private Line). A connection is an L3 connection if at least one of the start point (src) and end point (dst) is a router, and is an L2 connection if both src and dst are ports.

A router is a resource that provides L3 routing functions and serves as a peer for BGP connections. A routing group (RG) functions within the router, and a connection that has the router as src or dst connects to the routing group. Users can achieve a redundant configuration by purchasing multiple routers (Paired Routers).

A routing group is a virtual router (VRF) contained in a router. Connections that belong to the same routing group can communicate with each other, but connections that belong to different routing groups must connect via a FW.

A component is a resource that provides additional functions, and in this embodiment, there are L2 components and L3 components. The L2 component is a component of an L2 connection. The L3 component is, for example, a FW and NAT that function between routing groups in a router. Components may also be used as additional functions for ports.

FW (firewall) is a resource that has communication and filtering functions between routing groups. FW is used when you want to allow connections that belong to different routing groups to communicate with each other, or when you want to apply rules to communication between routing groups.

NAT is a resource with an address conversion function. NAT is mainly required when connecting to SaaS (operation with Global IP). Specifically, in the case of communication from a user to SaaS, the user-specified address (private IP address) set in the source IP address is converted to a global IP address, and in the case of communication from SaaS to a user, the global IP address set in the destination IP address is converted to a user-specified address (private IP address).

By selecting and purchasing various resources, users can establish end-to-end (e.g., user equipment-cloud) connectivity. Depending on how the resources are combined, users can also establish a simple end-to-end L2 virtual private line connection, an L3 connection via a router function, or an L3 connection with additional functions. As described below, for example, by selecting the Direct Connect service of AWS (registered trademark), a closed network connection can be realized. A closed network connection may also be called a private network connection, a dedicated line connection, etc.

As shown in Figure 4, the equipment of the user (buyer) who connects to the port is connected to the port by a VLAN within the access line.

The example shows that the seller side has network devices, clouds A to E, and other businesses connected. For example, a user can select a port in a location desired by the user, a router, and a cloud that the user wishes to use on the GUI, thereby building an L3 connection as shown in FIG. 4. Also, for example, a user can select a port in a location desired by the user and a cloud that the user wishes to use (or a port in a location to which the cloud is connected) on the GUI, thereby building an L2 connection as shown in FIG. 4.

Figure 5 shows an image of resource management. As shown in Figure 5, resource management is performed on a tenant and user basis. A user can also create multiple tenants for one contract.

When a user starts using a service, they first create a tenant. Resources are managed on a tenant-by-tenant basis. In addition, access rights to a tenant are set on a per-user basis for each tenant.

Figure 6 shows connections between resources. The granularity of whether or not approval for a connection is required is the tenant. In the example in Figure 6, approval is not required when connecting to resources of the same tenant (example: connection #1). Approval is required when connecting to resources of a different tenant (example: connection #2). Approval is required when connecting to resources of a different subscriber (example: connection #3). For connections with clouds such as connection #4, whether approval is required at the time of connection is determined for each cloud.

Each resource will be explained in more detail below. Note that the usage of resources explained below is based on general usage in this interconnection system. An example assuming a closed network connection service related to the present invention will be described later.

(About ports)
A user purchases a port by specifying an area and location on a GUI screen. The port connection location information is recorded, and the user notifies the network operator of the port connection location information so that the user's equipment can be connected (wired) to the port.

After the wiring is complete, the user activates the port from the GUI screen (specifically, the port transitions from "Shut" to "No Shut"). When the port is activated, packets can be passed through the port and billing begins.

The user can obtain VLANs in units of 16 from the GUI screen. The number of VLANs obtained here becomes the number of connections that can be made from the port.

When the user specifies a port as the src of a connection from the GUI screen, the user selects the VLAN-ID to be set for the connection from the VLAN range. This creates a VLAN interface in the interconnection system. When specifying a port as the dst of a connection, the destination VLAN information is provided in advance, and that information (VLAN-ID, etc.) is entered from the GUI. The port bandwidth can be selected, for example, 1G or 10G. The user can also select the type of the selected port (0 system, 1 system, ...) on the GUI screen.

Figure 7 shows an example of a case where ports are used. In the example of Figure 7, connection #1 is established for VLAN:x between one port of src (or dst) and two ports of dst (or src), and connection #2 is established for VLAN:y.

(About the router)
A user can purchase a router by specifying an area. In this embodiment, when a user purchases a router, eight routing groups are created. Fig. 8 shows an image of a case where a routing group is used. Fig. 8 shows an example in which a FW is placed between routing groups.

The communication in Figure 8 can also be achieved by replacing the routing group in Figure 8 with a router. In other words, the configuration shown in Figure 8 is essentially the same as a router-FW-router configuration. However, by using a routing group as in Figure 8, it is possible to make it appear to the user as a setting inside the router.

When a user specifies a router as the src or dst of a connection on the GUI screen, the user specifies which of the router's multiple routing groups the connection should belong to.

When a router is specified as the src or dst of a connection, the connection is set as an L3 connection. An interface is created for each connection, and an IPv4 or IPv6 address is assigned to the interface. Routing is set for each connection. The routing can be BGP or Static.

(About connections)
As already explained, if a port is specified for both src and dst, the connection becomes an L2 connection, and if a router is specified for either src or dst or for both, the connection becomes an L3 connection.

When a user selects a provider such as a cloud as the dst of a connection, the user selects the port to which the provider is connected, and a connection is established between the src and the selected port. In other words, the user can establish a connection to a cloud simply by selecting the cloud, without being aware of the cloud's connection point, which may differ for each cloud.

In this embodiment, the user can select from the GUI screen either a single connection, which is a single connection, or a paired connection, which is a set of two connections.

Figure 9 shows an example of a single connection between ports and a single connection between a router and a port. Figure 10 shows an example of a paired connection between ports and a paired connection between a router and a port.

In a paired connection, the same parameters are applied to both connections as a rule. Also, in a paired connection, when a two-line redundant configuration is used and connections go through a FW or NAT, the two connections are controlled as a set.

For L3 connections, routing is set for each connection. The settings allow for the reception of 4-byte AS routes, and also include MED/AS-PATH prep settings (in/out) and route filter settings (in/out). In addition, out allows for the setting to convert route advertisements to default routes/summarized routes only, and in allows for the setting to convert route reception to default routes only.

As shown in Figure 11, out is route advertisement from the interconnection system to the outside, and in is route reception from the outside to the interconnection system.

(About the forwards)
The FW, one of the L3 components, will now be described. The FW is a component that can be used in combination with a router, and is used to connect different routing groups. It can also be used in combination with NAT.

Applications (TCP/UDP port numbers) and IP addresses can be specified as rules for traffic matching conditions in the FW communication policy. Policies have an order, and the FW evaluates traffic in order from the top of the list. If traffic matches the conditions of any policy, the FW will not evaluate subsequent rules. The FW discards communications that are not permitted by the policy. The smallest unit of policy is the address set, and multiple address sets can be set within a group.

Figure 12 shows an example of a communication policy in the FW. In the example of Figure 12, the connection connected to base 1 belongs to routing group #X, and the connection connected to cloud B belongs to routing group #Y. Figure 12 shows, for example, a policy in which SSH to address-set #1 is OK, but Telnet to address-set #4 is NG.

(About NAT)
Next, we will explain NAT. NAT is a component that can be used in combination with a router and can be used in combination with FW. NAT rules are applied between routing groups, and provide three target protocols: TCP/UDP/ICMP.

NAT has a NAPT function that converts private IP addresses to global IP addresses, and a NAT function that converts global IP addresses to private IP addresses. Figure 13 shows an example of when NAT rules are applied between routing groups.

(Operation System)
14 is a diagram showing an example of the configuration of an operation system according to the present embodiment. The operation system according to the present embodiment includes a display control system 100, a control device 200, and a monitoring device 300.

The target network 400 has network devices that realize the ports, connections, routers, etc. described above, is a network that is the subject of configuration and monitoring, and is a network that includes the interconnection system according to this embodiment. The network includes one or more network devices. Note that a system that includes the interconnection system and the control device 200 may be called a network system.

When configuring the target network 400 from the control device 200, the L3 connection is configured to at least the network devices on the path of the L3 connection in the interconnection system, and the L2 connection is configured to at least the network devices on the path of the L2 connection in the interconnection system. The settings in the network devices to establish the L2/L3 connection can be done using existing technology. When connecting to a cloud, settings from the control device 200 to the cloud are also done. The settings when establishing a router, FW, NAT, etc. can be done using existing technology.

The user terminal 500 is a terminal operated by a user who configures, for example, ports, connections, routers, etc. on a GUI screen. Note that "configuration" is a general term for adding, changing, deleting, etc. resources.

The display control system 100 transmits GUI screen information to the user terminal 500 and causes the user terminal 500 to display the GUI screen. In addition, transmitting GUI screen information to the user terminal 500 and causing the user terminal 500 to display the GUI screen can also be rephrased as displaying the GUI screen on the user terminal 500. The display control system 100 also receives information input to the user terminal 500 via the GUI screen from the user terminal 500 and performs processing based on the received information.

The display control system 100 has a setting GUI unit 110 and a monitoring GUI unit 120. The setting GUI unit 110 displays a GUI screen on the user terminal 500 for configuring resources such as ports, connections, and routers, such as adding, changing, and deleting, receives information input to the user terminal 500 via the GUI screen from the user terminal 500, and performs processing based on the received information.

The monitoring GUI unit 120 displays a GUI screen on the user terminal 500 for checking traffic and normality in resources set by the user, receives information input to the user terminal 500 via the GUI screen from the user terminal 500, and performs processing based on the received information.

The setting GUI unit 110 and the monitoring GUI unit 120 work together. For example, when a user operates the GUI screen displayed on the user terminal 500 by the setting GUI unit 110 to select "monitoring," the monitoring GUI unit 120 displays a monitoring GUI screen on the user terminal 500.

The control device 200 is provided with a management database that stores configuration information (area information, location information, facility information for each area and location in the target network 400, etc.) and setting information indicating what settings have been made for each user (what resources are being used). The control device 200 receives information input via a setting GUI screen from the setting GUI unit 110, and sets ports, connections, routers, clouds, etc. based on that information. The setting GUI unit 110 may also be provided with the above-mentioned management database.

The monitoring device 300 has a management database similar to the management database of the control device 200 by receiving information from the control device 200. Alternatively, the monitoring device 300 may be able to access the management database of the control device 200. The monitoring device 300 also has a monitoring database, and based on configuration information in the management database, for example, periodically collects monitoring information such as traffic, flow information, and alarm information from each network device, and stores the collected information in the monitoring database. The monitoring GUI unit 120 may also have the above-mentioned management database. The monitoring GUI unit 120 may also have the above-mentioned monitoring database.

For example, the monitoring GUI unit 120 obtains monitoring information corresponding to the resources of a specific user from the monitoring database of the monitoring device 300 based on the resource setting information of the specific user, creates a GUI screen, and displays it on the user terminal 500.

The display control system 100 may be one or more devices having the setting GUI unit 110 and the monitoring GUI unit 120, or may be one or more devices each of the setting GUI unit 110 and the monitoring GUI unit 120. These devices may be physical machines or virtual machines. Furthermore, when the setting GUI unit 110 and the monitoring GUI unit 120 are each provided as devices, these may be referred to as a setting GUI device and a monitoring GUI device. Furthermore, the display control system 100 may be a device having only the setting GUI unit 110.

The control device 200 and the monitoring device 300 may each be a physical machine or a virtual machine. In addition, the control device 200 and the monitoring device 300 may be a single device.

(Sequence example)
Fig. 15 shows a basic sequence when a user sets resources such as ports, connections, and routers. The sequence is explained below. An example of a GUI screen will be described later. Note that the sequence shown in Fig. 15 (and Fig. 16) is one example.

In S101, the setting GUI unit 110 acquires configuration information from the management database of the control device 200. In S102, the setting GUI unit 110 creates information for a GUI screen based on the configuration information and transmits the information to the user terminal 500. A GUI screen depicting, for example, a network configuration connecting multiple clouds and areas is displayed on the user terminal 500.

When the user operates the user terminal 500, for example, to select and purchase the desired resource on the GUI screen and input the setting information (parameters), the setting information is sent to the setting GUI unit 110 in S103.

In S104, the setting GUI unit 110 transmits the setting information to the control device 200. In S105, the control device 200 generates a setting command for the target network device corresponding to the selected resource based on the setting information, and transmits the setting command to the target network device.

When the setting in the target network device is completed, a setting completion is returned to the control device 200 in S106. The control device 200 that receives the setting completion record information indicating that the setting is completed as information for the corresponding device in the management database.

In S107, a notification of completion of the settings is sent to the setting GUI unit 110. The setting GUI unit 110, which has received the notification of completion of the settings, creates a GUI screen indicating that the settings of the relevant resource have been completed, and in S108 displays this on the user terminal 500. Note that the GUI screen indicating that the settings of the relevant resource have been completed may be displayed based on a request from the user terminal 500.

Figure 16 shows an example of a sequence in which a user views monitoring information (e.g., traffic volume) of a resource (e.g., a connection) on a GUI screen.

In S201, the monitoring device 300 collects monitoring information from network devices and clouds that constitute the target network 400, and stores the collected monitoring information in a monitoring database. Note that S201 is performed, for example, periodically.

For example, assume that at this point in time, the user issues an instruction to display specific monitoring information for a specific resource on the GUI screen displayed on the user terminal 500. In S202, the instruction information is sent from the user terminal 500 to the monitoring GUI unit 120.

Based on the instruction information, the monitoring GUI unit 120 obtains monitoring information for the resource specified by the user from the monitoring database of the monitoring device 300 (S203 to S204).

In S205, the monitoring GUI unit 120 creates information for a GUI screen that displays the monitoring information for the resource specified by the user, and displays the GUI screen on the user terminal 500.

(GUI screen example)
17 to 30 show examples of GUI screens displayed on the user terminal 500 by the setting GUI unit 110. Note that the screen examples shown in Figs. 17 to 30 are merely examples. The display positions of elements shown in each screen example (for example, the group of buttons displayed on the left edge) may be changed as desired. In addition, the "start point" below may be replaced with the "end point," and the "end point" below may be replaced with the "start point."

Figure 17 is an example of a GUI screen displayed on the user terminal 500 in the initial stage of setup, showing the area in which the interconnection system exists and the clouds etc. that can be connected from that area. "Connectable" means that a connection can be established. In the example of Figure 17, for example, cloud A and area A can be connected, so they are connected with a line. That cloud A and area A can be connected means that cloud A is connected to a port of the interconnection system in area A, and that port can be connected to other ports or routers in area A. Area B is also shown, but because tenant A belongs to area A, the connection to area A is shown.

In the example of Figure 17, the connection for area A is shown, but it is also possible to display the connection details for each of multiple areas, as shown in Figure 18.

Note that displaying a network configuration in which areas and clouds are connected by lines, as in Figures 17 and 18, is one example. For example, the lines do not have to be shown. Also, the objects connected to the cloud by lines may not be area names, but may be location names, company names, service names, etc.

When the GUI screen shown in FIG. 17 is displayed and the user selects (clicks) area A on the screen, the GUI screen shown in FIG. 19 is displayed.

As shown in Figure 19, an overview of the facilities in Area A is displayed within the frame of Area A. Note that Figure 19 shows one location (the location indicated by "2", where the port is located) as an example, but typically multiple locations are displayed.

Figures 20 to 23 show examples of GUI screens that are displayed when purchasing a port. As shown in Figure 20, when you click on the "Port" section in the upper left of the screen, a screen will appear, as shown on the right, where you can choose to purchase, activate, or deactivate the port. The field above "Purchase" displays an overview of the port, an explanation of the lead time (the need to request physical construction work after purchase), etc.

When the user clicks "Purchase", the screen shown in Figure 21 is displayed. Figure 21 displays the guidance "A port will be set in the specified location (data center)."

When the user selects a location marked "2," the screen shown in Figure 22 is displayed. The user selects (inputs) parameters such as bandwidth, number of VLANs, SW, etc., and clicks "Confirm." Note that selecting a location also means selecting a port.

Then, an LOA is issued from the system side (e.g., control device 200). The user notifies the network operator of the LOA, and, for example, the user equipment is connected to the port with an optical cable. When the user activates the port, packet transmission and reception becomes possible and billing begins. Note that this is just one example. Different processing may be performed in the processing related to the closed network connection service described later.

When the user selects "Router" on the left side of the screen in Figure 19, a screen is displayed on which they can select "Purchase," "Add-on Settings," or "Cancel." If they select "Purchase" there, the screen shown in Figure 23 is displayed. Here, the user can select whether or not there is redundancy (one of the parameters). If there is no redundancy, a single router will be purchased, and if there is redundancy, a paired router will be purchased.

When "Router" on the left side of the screen in Fig. 19 is selected, and then "Add-on Settings" is selected, the screen in Fig. 24 is displayed. As shown in Fig. 24, for FW, "New Purchase", "Settings", and "Cancel" can be selected, and for NAT, "New Purchase", "Global IP Address Settings", "Policy Settings", and "Cancel" can be selected.

For example, when "Settings" for FW is selected, the screen shown in FIG. 25 is displayed. The user can configure the FW by inputting various parameters on this screen.

For example, if you select "Connection" on the left side of the screen in Figure 19, the screen in Figure 26 will be displayed. As shown in Figure 26, various connection patterns are displayed, and the user can select the desired connection pattern.

For example, if a user wishes to connect his/her equipment to cloud A, he/she selects "Cloud A" in the cloud connection. In this embodiment, by selecting "Cloud A", the port in the interconnection system to which "Cloud A" is connected is selected as the destination (dst). However, if there are multiple ports (multiple locations) to which "Cloud A" is connected, the user may be allowed to select one port (location) from the multiple ports (multiple locations) as the destination.

When "Cloud A" is selected, the screen shown in Figure 27 is displayed. When the user selects a router (cylindrical image) as the starting point on this screen, a parameter input screen like that shown in Figure 28 is displayed, and the user inputs parameters such as bandwidth, BGP setting information, and information for cloud connection approval. "ABC" in Figure 28 is the name of the cloud.

The ports and routers that you are prompted to select when purchasing a "Connection" may be ones that you purchased before purchasing the "Connection", or they may be purchased when you are prompted to select them when purchasing the "Connection".

Once you have finished entering the parameters and clicked "Confirm", a screen showing the parameters you entered will be displayed, and clicking "Purchase" will create the L3 connection.

The parameters that need to be set for cloud connection differ for each cloud. In this embodiment, the setting GUI unit 110 or the control device 200 knows the parameters required for each cloud. When a certain cloud is selected, the user is prompted to input parameters that need to be input from among the parameters required for setting up a connection to that cloud on the screen in FIG. 28, and for the other parameters, the setting GUI unit 110 or the control device 200 automatically determines and sets the necessary parameters for the target network device or that cloud.

Examples of parameters that the user must input include an ID or key issued by the cloud for connection approval (connection authorization). Examples of parameters that are automatically determined by the system include the bandwidth set on the cloud side. This mechanism allows users to easily connect to various clouds without having to research the parameters for each cloud.

When the user clicks on "History" on the left side of the screen, the history of past applications (resources purchased, date and time, parameters entered, progress of configuration (processing, completed), etc.) is displayed and the user can check it. The progress of configuration can be determined by whether or not the completion of configuration shown in Figure 15 has been received.

In addition, when the user selects (clicks) a location (port), router, connection, etc. on the screen shown in FIG. 19, details of the selected part are displayed and the user can check the details. FIG. 29 is an example of the screen that is displayed when the connection between the router and cloud A is clicked.

Note that the examples in Figures 27 and 28 show a case where a router is selected as the starting point of the cloud connection, but if a port is selected as the starting point of the cloud connection, a parameter input screen for the L2 connection is displayed, and the L2 connection is established by inputting the parameters.

Also, for example, when "Router-to-port connection" is selected on the screen of FIG. 26, a screen for selecting the starting router is displayed, and when the starting router is selected, a screen for selecting the end port is displayed, and when the end port is selected, an L3 connection between the router and port is established after inputting parameters.

Also, for example, when "Port-to-port connection" is selected on the screen in FIG. 26, a screen for selecting the starting port is displayed, and when the starting port is selected, a screen for selecting the end port is displayed, and when the end port is selected, an L2 connection between the ports is established after parameters are entered.

Resource settings can also be easily changed. For example, by selecting the connection for which the settings are to be changed on the screen and clicking "Change Settings," the settings change screen shown in Figure 30 is displayed. The user can change the settings by inputting the changed parameters, etc.

When the settings such as adding and changing resources have been completed and operation has started, for example, by clicking "Monitoring" at the bottom left of FIG. 19 displayed by the setting GUI unit 110, monitoring information about the resources of the user is displayed on the user terminal 500. This monitoring information is displayed by the monitoring GUI unit 120. This control is realized by, for example, clicking "Monitoring" on the screen, which causes the setting GUI unit 110 to notify the monitoring GUI unit 120 of a display instruction.

(Regarding closed network connection services)
As mentioned above, the closed network connection service provided by the cloud service provider requires line resources to connect the user to the physical port of the cloud service provider. Therefore, in many cases, the user uses the closed network connection service through a partner that provides line resources.

In this embodiment, the operator providing the interconnection system described above becomes the partner and provides the line resources of the interconnection system to the user, enabling the user to use the closed network connection service provided by the cloud operator.

In this embodiment, the "closed network connection service provided by the cloud service provider" is not limited to a specific one, but in the following explanation, we will assume that the "closed network connection service provided by the cloud service provider" is the Direct Connect service of AWS (registered trademark).

The issues described below are assumed to be related to the AWS (registered trademark) Direct Connect service, but these issues may arise in other services besides the AWS (registered trademark) Direct Connect service. Therefore, hereafter, a closed network connection service having the following issues will be referred to as a cloud A closed network connection service. The AWS (registered trademark) Direct Connect service is an example of a cloud A closed network connection service.

As mentioned above, users use Cloud A's closed network connection service via a partner. However, the configuration method and installation procedures are complicated, making it difficult for some small and medium-sized businesses to adopt the service.

(Issues regarding Cloud A's closed network connection service)
The following describes the problems that exist in the prior art when a user uses the closed network connection service of cloud A via a partner.

When a user wants to use Cloud A's closed network connection service, the user first contacts the partner and has the partner create a connection called a hosted connection. A hosted connection corresponds to a layer 2 communication path (bandwidth) between the user's connection point (for example, a router provided by the partner to the user) and a port on Cloud A's side. A hosted connection is assigned a dedicated bandwidth for the user.

In order for a user to use a hosted connection, the user must first have the partner create the hosted connection, and then consent to the user's use of the hosted connection created by the partner (i.e., to paying the fee). The cloud A operator will charge the user a connection fee based on the bandwidth of this hosted connection.

To connect to resources in cloud A at layer 3 using a hosted connection (layer 2 communication path), it is necessary to create a VIF (Virtual Interface) in cloud A. Creating a VIF is equivalent to configuring layer 3 settings (e.g. BGP settings) in cloud resources to connect user resources (e.g. routers provided by partners to users) and cloud resources (e.g. cloud routers) at layer 3.

Here too, the user will have the partner (partner's account) create the VIF for them. A VIF created by someone other than the user in this way is called a "Hosted VIF." When a Hosted VIF is created, the user must take action to accept it.

In this embodiment, a public hosted VIF is created to connect to public resources in cloud A. However, this is not limited to this.

Public VIFs (including public hosted VIFs) have the following attribute parameters, including Global-IP:

(1) Address for connection between cloud A and on-premise (user) (2) ASN on the on-premise side for configuring BGP peer between cloud A and on-premise
(3) Global IP address that directly communicates with public resources in Cloud A (advertised from on-premise) After the public hosted VIF is accepted by the user, Cloud A checks whether the Global IP and ASN included in this attribute are assets owned by the user. If the asset is assigned by a third party (e.g. a partner), the third party must prove to Cloud A that they assigned the asset to the user.

In addition, in the case of Cloud A's closed network connection service, when connecting to Cloud A via a public VIF, a large amount of route information (global IP prefixes) held by Cloud A is advertised to the connection source (the router used by the user) via BGP.

<Summary of issues when using Cloud A's closed network connection service>
As mentioned above, there are some points in the closed network connection service of cloud A that make it difficult for users to adopt it. These points can be summarized as the following three points (1) to (3). Note that in the closed network connection service of cloud A, there are three types of VIFs mentioned above: Private, Transit, and Public. For reference, which of the following issues applies to each type is shown below.

(1) [Private-VIF/Transit-VIF/Public-VIF common]
Introducing Cloud A's closed network connection service via a partner requires the purchase of multiple resources consisting of a "hosted connection (connection fees charged according to bandwidth)" and a "hosted VIF (fees charged according to data transfer volume)." This means that the process of operations and approval required to use the service is complicated and difficult.

(2) [Public-VIF]
If a user does not have a Global-IP or an ASN or does not want to maintain them, it is difficult to establish a closed network connection using a public VIF, which requires the use of these.

(3) [Public-VIF]
When connecting to cloud A using a public VIF, many global IPs owned by cloud A are advertised to the connection source by BGP. Therefore, it is difficult for users to make a closed connection to only the necessary SaaS. This results in unnecessary consumption of line traffic on the closed network connection.

(Summary of the technology to solve the problem)
In this embodiment, in order to support the above three points, the following mechanism is adopted in the interconnection system of the embodiment. The "partner" below is a business that provides the interconnection system according to this embodiment. However, this is not limited thereto, and the "partner" may be a business other than the business that provides the interconnection system according to this embodiment.

<Technology to solve (1)>
In the past, a "hosted connection" and a "hosted VIF" were created in the user's cloud A account from the partner's cloud A account, and the user had to approve and pay for these two resources. This made the process of operations and approvals difficult.

On the other hand, in the technology according to this embodiment, the "hosted connection" is created in the "second cloud A account owned by the partner," and the partner absorbs the approval and billing procedures, creating a "hosted VIF" from the "second account" to the user's cloud A account. With this method, the user only needs to approve the "hosted VIF" and pay the bill, reducing the number of operations by half and simplifying the procedure.

In addition, because the approval process for a "hosted connection" is completed within the partner, there is no need to wait for user operations when linking with the API, making it possible to realize an on-demand application function that allows for rapid provisioning.

<Technology to solve (2)>
In this embodiment, when an on-demand cloud A closed network connection service is applied for from a user to the interconnection system (partner), the interconnection system (partner) lends the user an ASN and a global IP for connecting/communicating with cloud A. Also, an LOA (LETTER OF AUTHORIZATION) is automatically generated to certify to cloud A that the service has been lent, and the user can download it. The download can be performed, for example, by using the history inquiry UI on the GUI screen already described.

This allows the user to actively contact cloud A and activate the VIF immediately after establishing a connection to cloud A's closed network connection service. The LOA is automatically generated when the on-demand application is completed.

<Technology to solve (3)>
In this embodiment, in order to solve the problem that a large amount of route information is sent from cloud A to the connection source by BGP, when a connection (L3 connection) is established between cloud A and a router in an interconnection system, the router side is allowed to set a receiving route filter in a whitelist format as an attribute value. By specifying only the route information (prefix) that the user wishes to set, the route information is registered in the whitelist in the router, and only network prefixes included in the route information (prefix) registered in the whitelist are accepted as valid BGP routes.

This allows users to access only the public resources of cloud A that they need via a closed network connection to cloud A.

The user can set the above whitelist from the GUI screen, for example, by referring to the public prefix list (JSON format) published by cloud A.

<Effects of this embodiment>
The above-mentioned technology makes it possible to easily and quickly provide users with closed network connections to public services and XaaS, etc., deployed on cloud A, which has the effect of lowering the barrier to cloud adoption for all companies.

The following provides a more detailed explanation of the technology related to the closed network connection service of cloud A in the interconnection system of this embodiment. The basic configuration of the interconnection system has already been explained. Below, we will explain in detail the parts related to the aforementioned technologies (1) to (3).

(Cloud A's closed network connection service)
Fig. 31 shows a connection form when using the closed network connection service of cloud A through an interconnection system. The L2-Connection, L3-Connection (single), and L3-Connection (paired) shown in Fig. 31 respectively refer to the L2 connection and L3 connection (single, paired) described in Fig. 9, Fig. 10, etc.

As shown in FIG. 31, the user can select the cloud A's closed network connection service and its type (Private-VIF/Transit-VIF/Public-VIF) on the GUI screen as the cloud, which will create a corresponding L3 connection in the interconnection system and allow the user to use the closed network connection service of cloud A.

As an example, in the GUI screen shown in FIG. 19, in addition to cloud images such as "Cloud A," a cloud image for "Cloud A's private network connection service: Private-VIF," a cloud image for "Cloud A's private network connection service: Transit-VIF," and a cloud image for "Cloud A's private network connection service: Public-VIF" are displayed. After purchasing a port and a router, for example, the user can click on the image of the service they wish to apply for as a connection between the router and the cloud to create the relevant connection (new purchase).

For example, if the user selects "Cloud A's closed network connection service: Public-VIF", a hosted connection and a hosted public VIF are created. The processing operation for this case is explained below.

(sequence)
FIG. 32 shows the sequence when a user purchases a new public hosted VIF connection from the GUI.

In FIG. 32, a user performs operations from a user terminal 500. The control system 600 is a system including the setting GUI unit 110 and the control device 200 described above. However, this is not limited to this, and for example, the control system 600 may include a setting GUI unit in the control device 200. The control system 600 may be called a control device. The control system 600 may be realized by one server (computer) or multiple servers.

"Cloud A" in Figure 33 is an entity that provides various cloud services. In reality, "Cloud A" is made up of servers in data centers located in multiple locations around the world.

"Cloud A (user account)" in FIG. 32 indicates the functions of cloud A for a user when connected to cloud A with the user's account. For example, when a user logs into cloud A from a user terminal 600 with the ID and password of his or her account, all the functions that can be provided to the user from cloud A correspond to "cloud A (user account)." This function of cloud A (i.e., cloud A (user account)) may be called the "user's account."

In this embodiment, the provider of the interconnection system becomes the partner of the user. The partner has two different accounts for cloud A, a first account and a second account. The meanings of "cloud A (first account)" and "cloud A (second account)" are the same as those of "cloud A (user account)".

In conventional technology, cloud A (partner's account) creates (assigns) a hosted connection to cloud A (user's account), but in this embodiment, cloud A (partner's first account) assigns the hosted connection to cloud A (partner's second account), reducing the user's need to approve the assignment of the hosted connection. The sequence is described below.

In S301, the user purchases (applies for) a new connection by selecting "Cloud A's closed network connection service: Public-VIF" from the user terminal 500.

In S302, the control system 600, which has received an application for the "Cloud A closed network connection service: Public-VIF", uses an API Call to instruct Cloud A (first account) to execute an operation to allocate a hosted connection to Cloud A (second account). This instruction may also be expressed as "instructing the first account of Cloud A to create a connection that constitutes a closed network for the second account of Cloud A."

In S303, cloud A (first account) allocates a hosted connection to cloud A (second account). This causes the partner's second account to receive the bandwidth of the hosted connection. However, it is the user who actually uses this bandwidth, and the bandwidth is the layer 2 bandwidth for the connection between the router purchased by the user and cloud A.

In S304, the control system 600 uses an API call to perform an operation on cloud A (second account) to accept the hosted connection created from the first account. In S305, cloud A (second account) accepts the hosted connection.

In S306, the control system 600 uses an API Call to instruct cloud A (second account) to create a hosted VIF for cloud A (user account). Creating a hosted VIF for cloud A (user account) means creating a hosted VIF for the user account. The above instruction may also be expressed as "instructing the second account of cloud A to create a virtual interface to be used in the connection for the user account of cloud A."

In S307, cloud A (second account) receives the instruction and performs an operation to create a host-side VIF on cloud A (user account). In other words, it creates a host-side VIF for the user.

In S308, the control system 600 performs settings for L3 connection and reflects data (such as a whitelist of route information) for the routers and other devices purchased by the user in the interconnection system. In S309, the control system 600 creates the LOA described above. In S310, the control system 600 sends a completion notification for the new purchase in S301 to the user terminal 500.

In S311, the user terminal 500 performs an operation on cloud A (user account) to accept the hosted VIF, and in S312, cloud A (user account) accepts the hosted connection, and in S313 notifies the user terminal 500 that acceptance has been completed.

In S314, the user terminal 500 requests the control system 600 to download the LOA, and in S315, the LOA is obtained.

In S316, the user terminal 500 submits the LOA to cloud A (user account). At cloud A, a person in charge checks the LOA, and in S317, activates the user's hosted VIF. In S318, cloud A (user account) sends a completion notification for S316 (indicating that the VIF is now available) to the user terminal 500. This allows the user to use the closed network connection service of cloud A.

As described above, the user can use the closed network connection service of cloud A with simple operations on the user terminal 500.

(About LOA)
An image of the LOA created in S309 and provided to the user terminal 500 in S315 is shown in Fig. 33. Such an LOA is submitted to cloud A. An example of information written in the LOA and notified to cloud A is shown in Fig. 34. As shown in Fig. 34, necessary information is extracted from the contents of the end user's application, and the LOA is automatically created.

(Whitelist settings)
Regarding the setting of the whitelist for filtering the BGP route information described above, for example, when a user purchases a connection (or a router), a screen such as that shown in Fig. 28 is displayed on the user terminal 500, and the user inputs the route information (prefixes) that the user wishes to accept from among the many pieces of route information advertised by cloud A in the BGP Filter Ingress field. Based on this input information, for example, in S308 of Fig. 32, a whitelist is set in the router purchased by the user. Note that, although a whitelist is used in this embodiment, a method of designating route information that is refused to be accepted as a blacklist may also be adopted.

(Control system functional configuration)
35 shows an example of a functional configuration of the control system 600. As shown in FIG. 35, the control system has a first account operation unit 610, a second account operation unit 620, an LOA generation unit 630, a setting unit 640, a GUI unit 650, and a data storage unit 660.

The data storage unit 660 stores information received by the GUI unit 650 from the user terminal 500 (such as setting information entered by the user via the GUI). The first account operation unit 610, the second account operation unit 620, the LOA generation unit 630, and the setting unit 640 read the information stored in the data storage unit 660 to obtain information necessary for processing related to the user.

The first account operation unit 610 instructs the first account of cloud A to create a hosted connection that constitutes a closed network for the second account of cloud A. The second account operation unit 620 instructs the second account of cloud A to create a hosted virtual interface to be used in the hosted connection for the user's account of cloud A.

The LOA generation unit 630 generates an LOA to prove that the address and ASN included in the attributes of the hosted virtual interface are those loaned to the user by the partner, and provides the LOA to the user. The setting unit 640 sets the route information that the user accepts from among multiple route information advertised by the cloud via BGP in the router.

(Example of device hardware configuration)
The display control system 100, the control device 200, the monitoring device 300, the setting GUI device, the monitoring GUI device, and the control system 600 can all be realized, for example, by executing a program on a computer.

Figure 36 is a diagram showing an example of the hardware configuration of the computer in this embodiment. If the computer is a virtual machine, the hardware configuration is a virtual hardware configuration. The computer in Figure 36 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, and an input device 1007, which are all interconnected by a bus B.

The program that realizes the processing on the computer is provided by a recording medium 1001, such as a CD-ROM or a memory card. When the recording medium 1001 storing the program is set in the drive device 1000, the program is installed from the recording medium 1001 via the drive device 1000 into the auxiliary storage device 1002. However, the program does not necessarily have to be installed from the recording medium 1001, but may be downloaded from another computer via a network. The auxiliary storage device 1002 stores the installed program as well as necessary files, data, etc.

When an instruction to start a program is received, the memory device 1003 reads out and stores the program from the auxiliary storage device 1002. The CPU 1004 realizes the functions related to the device in accordance with the program stored in the memory device 1003. The interface device 1005 is used as an interface for connecting to a network. The display device 1006 displays a GUI (Graphical User Interface) based on the program, etc. The input device 1007 is composed of a keyboard and mouse, buttons, a touch panel, etc., and is used to input various operational instructions.

(Summary of the embodiment)
This specification discloses at least the following control system, closed network connection setting method, and program.
(Section 1)
A control system for executing a process for connecting a router used by a user to a cloud via a closed network, comprising:
a first account operation unit that instructs a first account of the cloud to create a connection that constitutes the closed network with respect to a second account of the cloud;
a second account operation unit that instructs the second account of the cloud to create a virtual interface to be used in the connection for the account of the user of the cloud.
(Section 2)
The control system of claim 1, further comprising: an LOA generation unit that generates an LOA to prove that the address and ASN included in the attributes of the virtual interface are those loaned to the user by a partner, and provides the LOA to the user.
(Section 3)
3. The control system according to claim 1 or 2, further comprising a setting unit that sets in the router route information that the user accepts, from among a plurality of route information advertised by the cloud via BGP.
(Section 4)
A closed network connection setting method executed by a control system that executes a process for connecting a router used by a user and a cloud via a closed network, comprising:
a first account operation step of instructing a first account of the cloud to create a connection constituting the closed network with respect to a second account of the cloud;
a second account operation step of instructing the second account of the cloud to create a virtual interface to be used in the connection for the account of the user of the cloud.
(Section 5)
A program for causing a computer to function as each unit in the control system according to any one of claims 1 to 3.

Although the present embodiment has been described above, the present invention is not limited to this specific embodiment, and various modifications and variations are possible within the scope of the gist of the present invention as described in the claims.

10 Router 20 Add-on component 30 Leaf 60 Core 100 Display control system 110 Setting GUI unit 120 Monitoring GUI unit 200 Control device 300 Monitoring device 500 User terminal 600 Control system 610 First account operation unit 620 Second account operation unit 630 LOA generation unit 640 Setting unit 650 GUI unit 660 Data storage unit 1000 Drive device 1001 Recording medium 1002 Auxiliary storage device 1003 Memory device 1004 CPU
1005 Interface device 1006 Display device 1007 Input device

Claims (5)

A control system for executing a process for connecting a router used by a user to a cloud via a closed network, comprising:
a first account operation unit that instructs a first account of the partner in the cloud to create a connection constituting the closed network for a second account of the partner for the user in the cloud;
a second account operation unit that instructs the second account of the partner in the cloud to create a virtual interface to be used in the connection for the account of the user in the cloud. The control system according to claim 1, further comprising: an LOA generation unit that generates an LOA to prove that the address and ASN included in the attributes of the virtual interface are loaned to the user by the partner, and provides the LOA to the user. The control system according to claim 1 or 2, further comprising a setting unit that sets, in the router, route information that the user accepts, among a plurality of pieces of route information advertised from the cloud by BGP. A closed network connection setting method executed by a control system that executes a process for connecting a router used by a user and a cloud via a closed network, comprising:
a first account operation step of instructing a first account of the partner in the cloud to create a connection constituting the closed network for a second account of the partner for the user in the cloud;
a second account operation step of instructing the second account of the partner in the cloud to create a virtual interface to be used in the connection for the account of the user in the cloud. A program for causing a computer to function as each part of a control system according to any one of claims 1 to 3.

Images